US12363174B2ActiveUtilityA1

Cloud-based security service that includes external evaluation for accessing a third-party application

66
Assignee: CLOUDFLARE INCPriority: Jun 20, 2022Filed: Dec 4, 2023Granted: Jul 15, 2025
Est. expiryJun 20, 2042(~15.9 yrs left)· nominal 20-yr term from priority
H04L 63/102H04L 63/0807H04L 63/20
66
PatentIndex Score
0
Cited by
12
References
17
Claims

Abstract

A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method in a server providing a cloud-based security service, comprising:
 receiving, from a client device at the cloud-based security service, a request to access a third-party application; 
 determining an identity of a user associated with the request; 
 determining, at the cloud-based security service, a set of one or more access policies that are configured for accessing the third-party application, wherein the set of one or more access policies includes:
 an identity-based access rule that specifies criteria the identity of the user associated with the request must meet to satisfy the identity-based access rule, and 
 an external evaluation rule; 
 
 enforcing the identity-based access rule including determining that the identity of the user associated with the request meets the specified criteria; 
 enforcing the external evaluation rule including transmitting an external evaluation request to an external endpoint defined in the external evaluation rule, wherein the external endpoint is external to the cloud-based security service and is controlled or managed by an owner or operator of the third-party application, and wherein the external evaluation request includes an identity of a user associated with the request; 
 receiving, from the external endpoint defined in the external evaluation rule, an external evaluation response that is responsive to the external evaluation request, the external evaluation response specifying that an external evaluation has passed; and 
 granting access to the third-party application based at least in part on receiving the external evaluation response specifying that the external evaluation has passed. 
 
     
     
       2. The method of  claim 1 , wherein granting access to the third-party application includes transmitting the request to the third-party application. 
     
     
       3. The method of  claim 1 , further comprising:
 wherein granting access to the third-party application includes setting an authorization cookie or token and redirecting the client device to transmit the request again with the authorization cookie or token; and 
 transmitting the request to the third-party application. 
 
     
     
       4. The method of  claim 1 , wherein determining the identity of the user associated with the request includes:
 causing the client device to transmit an authentication request to an identity provider; and 
 receiving, from the client device, an authentication response that was generated by the identity provider that identifies the user and signifies the user has successfully authenticated to the identity provider. 
 
     
     
       5. The method of  claim 1 , further comprising:
 wherein the set of one or more access policies further includes a device posture rule that specifies criteria related to device posture in which the client device must meet for satisfying the device posture rule; and 
 enforcing the device posture rule including:
 transmitting a request for device posture status of the client device to an endpoint protection provider, 
 receiving a response to the request for device posture status of the client device from the endpoint protection provider, and 
 determining that the device posture status of the client device meets the specified criteria in the device posture rule. 
 
 
     
     
       6. The method of  claim 1 , wherein the cloud-based security service acts as a service provider on behalf of the third-party application. 
     
     
       7. A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor of a server providing a cloud-based security service, will cause said processor to perform operations comprising:
 receiving, from a client device at the cloud-based security service, a request to access a third-party application; 
 determining an identity of a user associated with the request; 
 determining, at the cloud-based security service, a set of one or more access policies that are configured for accessing the third-party application, wherein the set of one or more access policies includes:
 an identity-based access rule that specifies criteria the identity of the user associated with the request must meet to satisfy the identity-based access rule, and 
 an external evaluation rule; 
 
 enforcing the identity-based access rule including determining that the identity of the user associated with the request meets the specified criteria; 
 enforcing the external evaluation rule including transmitting an external evaluation request to an external endpoint defined in the external evaluation rule, wherein the external endpoint is external to the cloud-based security service and is controlled or managed by an owner or operator of the third-party application, and wherein the external evaluation request includes an identity of a user associated with the request; 
 receiving, from the external endpoint defined in the external evaluation rule, an external evaluation response that is responsive to the external evaluation request, the external evaluation response specifying that an external evaluation has passed; and 
 granting access to the third-party application based at least in part on receiving the external evaluation response specifying that the external evaluation has passed. 
 
     
     
       8. The non-transitory machine-readable storage medium of  claim 7 , wherein granting access to the third-party application includes transmitting the request to the third-party application. 
     
     
       9. The non-transitory machine-readable storage medium of  claim 7 , wherein the operations further comprise:
 wherein granting access to the third-party application includes setting an authorization cookie or token and redirecting the client device to transmit the request again with the authorization cookie or token; and 
 transmitting the request to the third-party application. 
 
     
     
       10. The non-transitory machine-readable storage medium of  claim 7 , wherein determining the identity of the user associated with the request includes:
 causing the client device to transmit an authentication request to an identity provider; and 
 receiving, from the client device, an authentication response that was generated by the identity provider that identifies the user and signifies the user has successfully authenticated to the identity provider. 
 
     
     
       11. The non-transitory machine-readable storage medium of  claim 7 , wherein the operations further comprise:
 wherein the set of one or more access policies further includes a device posture rule that specifies criteria related to device posture in which the client device must meet for satisfying the device posture rule; and 
 enforcing the device posture rule including:
 transmitting a request for device posture status of the client device to an endpoint protection provider, 
 receiving a response to the request for device posture status of the client device from the endpoint protection provider, and 
 determining that the device posture status of the client device meets the specified criteria in the device posture rule. 
 
 
     
     
       12. The non-transitory machine-readable storage medium of  claim 7 , wherein the cloud-based security service acts as a service provider on behalf of the third-party application. 
     
     
       13. A server providing a cloud-based security service, the server comprising:
 a processor; and 
 a non-transitory machine-readable storage medium that provides instructions that, if executed by the processor, will cause the server to perform operations including: 
 receiving, from a client device at the cloud-based security service, a request to access a third-party application; 
 determining an identity of a user associated with the request; 
 determining, at the cloud-based security service, a set of one or more access policies that are configured for accessing the third-party application, wherein the set of one or more access policies includes:
 an identity-based access rule that specifies criteria the identity of the user associated with the request must meet to satisfy the identity-based access rule, and 
 an external evaluation rule; 
 
 enforcing the identity-based access rule including determining that the identity of the user associated with the request meets the specified criteria; 
 enforcing the external evaluation rule including transmitting an external evaluation request to an external endpoint defined in the external evaluation rule, wherein the external endpoint is external to the cloud-based security service and is controlled or managed by an owner or operator of the third-party application, and wherein the external evaluation request includes an identity of a user associated with the request; 
 receiving, from the external endpoint defined in the external evaluation rule, an external evaluation response that is responsive to the external evaluation request, the external evaluation response specifying that an external evaluation has passed; and 
 granting access to the third-party application based at least in part on receiving the external evaluation response specifying that the external evaluation has passed. 
 
     
     
       14. The server of  claim 13 , wherein granting access to the third-party application includes transmitting the request to the third-party application. 
     
     
       15. The server of  claim 13 , wherein the operations further comprise:
 wherein granting access to the third-party application includes setting an authorization cookie or token and redirecting the client device to transmit the request again with the authorization cookie or token; and 
 transmitting the request to the third-party application. 
 
     
     
       16. The server of  claim 13 , wherein determining the identity of the user associated with the request includes:
 causing the client device to transmit an authentication request to an identity provider; and 
 receiving, from the client device, an authentication response that was generated by the identity provider that identifies the user and signifies the user has successfully authenticated to the identity provider. 
 
     
     
       17. The server of  claim 15 , wherein the operations further comprise:
 wherein the set of one or more access policies further includes a device posture rule that specifies criteria related to device posture in which the client device must meet for satisfying the device posture rule; and 
 enforcing the device posture rule including:
 transmitting a request for device posture status of the client device to an endpoint protection provider, 
 receiving a response to the request for device posture status of the client device from the endpoint protection provider, and 
 determining that the device posture status of the client device meets the specified criteria in the device posture rule.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.